Comment on Godaddy VPS by SEO Gold Coast Services.

How to Open Ports on a Godaddy VPS Server Running Centos 7 OpenVZ

I think the new Godaddy VPS hates me.

Figured out why iptables was throwing out an error on line 14 as a freshly built server: I’d made no changes to the server.

The Godaddy Deluxe 4 GB Virtual Private Server, which is run under an OpenVZ container (one of the ways a dedicated server is partitioned into multiple VPS servers), starts with all ports closed other than port 22 (SSH) and port 80 (HTTP).

This means the server is secure, but requires ports opening to use other services like email, MYSQL and a control panel: for example, Virtualmin needs, amongst other ports, port 10000 and port 20000 open to function.

So a firewall management program should be installed with the server to manage ports.

Iptables is installed and enabled, so should activate at boot, but does not activate due to an error on line 14.
Ip6tables is installed and disabled (turned off).
Firewalld (a more recent firewall sometimes installed with Centos 7) is not installed.

As far as I can tell iptables is the only way to manage ports on the Godaddy VPS running Centos 7.

The line 14 iptables error was caused by Godaddy not enabling multiple iptables kernel modules. These should be installed under the OpenVZ hardware node, which Godaddy customers have no access to.

According to https://forum.configserver.com/viewtopic.php?f=6&t=212 the required iptables modules for full iptables support are:

ip_tables
ipt_state
ipt_multiport
iptable_filter
ipt_limit
ipt_LOG
ipt_REJECT
ipt_conntrack
ip_conntrack
ip_conntrack_ftp
iptable_mangle

Other iptables modules for additional functionality:

ipt_owner
ipt_recent
iptable_nat
ipt_REDIRECT

I installed ConfigServer Security & Firewall (CSF) for testing and according to the “/etc/csf/csftest.pl” test, the Godaddy VPS Server is missing at least these modules:

ipt_state/xt_state
xt_connlimit
iptable_nat/ipt_REDIRECT
iptable_nat/ipt_DNAT

The earlier forum post about modules required for CSF to function is from 2007; I assume there are new iptables modules since then.

Anyway, I confirmed the missing iptables modules by trying to add this iptables rule:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Output:

iptables: No chain/target/match by that name.

Indicates a module is missing, specifically the state module.

I contacted Godaddy support, explained I wanted the iptables modules enabled and Godaddy support enabled them, yeah :-)

Iptables now activated at boot so iptables should work as expected.

Tried installing Virtualmin and guess what, it still didn’t work!!!!

Port 10000 was still closed, port 20000 was open, the same result as before enabling the missing modules!

After a lot of testing with ConfigServer Security & Firewall I was still no closer to figuring this out and was making a bit of a mess, so decided to start from scratch again. I Destroyed and Rebuilt the VPS server AGAIN to start with a fresh Centos 7 installation and now the enabled iptable modules are no longer enabled!!!!

Godaddy Support You Are a bunch of Idiots

I don’t know much about managing OpenVZ, but would assume there’s an option to set the iptables modules to survive a rebuild: if not Godaddy support should have told me the new settings won’t survive a rebuild.

They are a bunch of bloody idiots at Godaddy.
They can’t set up a VPS which works without modifying the server: the support person I dealt with said he has to deal with the missing iptables modules roughly twice a week!
Most of Godaddy support don’t have a clue, you’d have better support asking your pet cat how to fix an issue.

After all this hassle I’m still not sure why port 10000 (and others) won’t open, but port 20000 (and others) will via iptables.

Just to make things more interesting. With the fresh Centos 7 server I disabled and masked iptables/ip6tables so there wouldn’t be any program managing firewall rules. That’s the theory anyway.

Here’s the output for the relevant commands:

# sudo systemctl is-enabled iptables
masked

# sudo systemctl is-enabled ip6tables
masked

# sudo systemctl is-enabled firewalld
Failed to get unit file state for firewalld.service: No such file or directory

With a fresh server, ports 22 and 80 are still open; all other ports I’ve tested are listed as closed.

Testing ports via: http://ports.my-addr.com/check-all-open-ports-online.php
Ports Tested :20,21,22,25,53,80,110,111,143,443,465,587,993,995,2222,2525,3306,10000,10001,10002,10003,10004,10005,20000

Fresh server with iptables/ip6tables disabled/masked: no control panel installed.

20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh
25/tcp closed smtp
53/tcp closed domain
80/tcp open http
110/tcp closed pop3
111/tcp closed rpcbind
143/tcp closed imap
443/tcp closed https
465/tcp closed smtps
587/tcp closed submission
993/tcp closed imaps
995/tcp closed pop3s
2222/tcp closed EtherNet/IP-1
2525/tcp closed ms-v-worlds
3306/tcp closed mysql
10000/tcp closed snet-sensor-mgmt
10001/tcp closed scp-config
10002/tcp closed documentum
10003/tcp closed documentum_s
10004/tcp closed emcrmirccd
10005/tcp closed stel
20000/tcp closed dnp

The above is as expected.

After installing Virtualmin before a reboot:

20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh
25/tcp open smtp
53/tcp closed domain
80/tcp open http
110/tcp closed pop3
111/tcp open rpcbind
143/tcp closed imap
443/tcp open https
465/tcp closed smtps
587/tcp open submission
993/tcp closed imaps
995/tcp closed pop3s
2222/tcp closed EtherNet/IP-1
2525/tcp closed ms-v-worlds
3306/tcp open mysql
10000/tcp closed snet-sensor-mgmt
10001/tcp closed scp-config
10002/tcp closed documentum
10003/tcp closed documentum_s
10004/tcp closed emcrmirccd
10005/tcp closed stel
20000/tcp closed dnp

Either before or after a reboot I think all these ports should be open.

After installing Virtualmin after a reboot:

20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp closed http
110/tcp closed pop3
111/tcp open rpcbind
143/tcp closed imap
443/tcp closed https
465/tcp closed smtps
587/tcp open submission
993/tcp closed imaps
995/tcp closed pop3s
2222/tcp closed EtherNet/IP-1
2525/tcp closed ms-v-worlds
3306/tcp closed mysql
10000/tcp closed snet-sensor-mgmt
10001/tcp closed scp-config
10002/tcp closed documentum
10003/tcp closed documentum_s
10004/tcp closed emcrmirccd
10005/tcp closed stel
20000/tcp open dnp

Why has MYSQL closed? Port 20000 (Usermin) is open, port 10000 (Webmin) is closed!!!

From the Virtualmin log file:

Configuring firewall rules
  Allowing traffic on TCP port: ssh
  Allowing traffic on TCP port: smtp
  Allowing traffic on TCP port: submission
  Allowing traffic on TCP port: domain
  Allowing traffic on TCP port: ftp
  Allowing traffic on TCP port: ftp-data
  Allowing traffic on TCP port: pop3
  Allowing traffic on TCP port: pop3s
  Allowing traffic on TCP port: imap
  Allowing traffic on TCP port: imaps
  Allowing traffic on TCP port: http
  Allowing traffic on TCP port: https
  Allowing traffic on TCP port: 2222
  Allowing traffic on TCP port: 10000
  Allowing traffic on TCP port: 10001
  Allowing traffic on TCP port: 10002
  Allowing traffic on TCP port: 10003
  Allowing traffic on TCP port: 10004
  Allowing traffic on TCP port: 10005
  Allowing traffic on TCP port: 20000
  Allowing traffic on UDP port: domain
  Allowing traffic on UDP port: ftp
  Allowing traffic on UDP port: ftp-data

Contents of the “/etc/sysconfig/iptables” file:

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport ftp-data -j ACCEPT
-A INPUT -p udp -m udp --dport ftp -j ACCEPT
-A INPUT -p udp -m udp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10003 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport https -j ACCEPT
-A INPUT -p tcp -m tcp --dport http -j ACCEPT
-A INPUT -p tcp -m tcp --dport imaps -j ACCEPT
-A INPUT -p tcp -m tcp --dport imap -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3s -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport submission -j ACCEPT
-A INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

It would appear another program is managing the firewall since iptables/ip6tables is masked and not all the above rules are working.

I’m completely confused?

David
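
The post traces the failed ruleset load and the "No chain/target/match by that name" error to match modules the container's kernel did not offer. The script below is an added example, not part of the original comment: it reports, by line number, which -m matches and -j targets a saved ruleset uses that are not available. The function name missing_extensions, the PANEL chain and the sample lists are constructed for illustration; on a live system the two lists would be read from /proc/net/ip_tables_matches and /proc/net/ip_tables_targets, and that these files reflect what an OpenVZ container may use is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find the iptables match (-m) and
# target (-j) extensions a saved ruleset uses that the kernel does not offer.

# missing_extensions RULES MATCHES TARGETS
# RULES is in iptables-save format; MATCHES and TARGETS hold one name per line.
# Prints "LINE KIND NAME" for each extension that is used but unavailable.
missing_extensions() {
    awk '
        BEGIN { n = split("ACCEPT DROP RETURN QUEUE", b, " ")   # built-in verdicts
                for (i = 1; i <= n; i++) have_t[b[i]] = 1 }
        FILENAME == ARGV[1] { have_m[$1] = 1; next }
        FILENAME == ARGV[2] { have_t[$1] = 1; next }
        /^:/   { have_t[substr($1, 2)] = 1; next }   # chains are valid -j targets
        /^-A / {
            for (i = 1; i < NF; i++) {
                if ($i == "-m" && !($(i + 1) in have_m)) print FNR, "match", $(i + 1)
                if ($i == "-j" && !($(i + 1) in have_t)) print FNR, "target", $(i + 1)
            }
        }
    ' "$2" "$3" "$1"
}

# Constructed sample: a kernel that offers no "state" match, and a ruleset
# reduced from the one in the post plus one hypothetical user-defined chain.
demo() {
    local d; d=$(mktemp -d)
    printf '%s\n' tcp udp icmp > "$d/matches"
    printf '%s\n' REJECT LOG > "$d/targets"
    cat > "$d/rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:PANEL - [0:0]
-A INPUT -p tcp -m tcp --dport 10000 -j PANEL
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A PANEL -j ACCEPT
COMMIT
EOF
    missing_extensions "$d/rules" "$d/matches" "$d/targets"
    rm -rf "$d"
}

demo
```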
